Sec Ddos Attack Prevn

Protection Against Distributed Denial of Service
Attacks
The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of
Service (DoS) attacks at the global level (for all firewall sessions) and at the VPN routing and forwarding
(VRF) level. In Cisco IOS XE Release 3.4S and later releases, you can configure the aggressive aging of
firewall sessions, event rate monitoring of firewall sessions, the half-opened connections limit, and global
TCP SYN cookie protection to prevent distributed DoS attacks.
• Finding Feature Information, page 1

• Information About Protection Against Distributed Denial of Service Attacks, page 2
• How to Configure Protection Against Distributed Denial of Service Attacks, page 4
• Configuration Examples for Protection Against Distributed Denial of Service Attacks, page 30
• Additional References for Protection Against Distributed Denial of Service Attacks, page 32
• Feature Information for Protection Against Distributed Denial of Service Attacks, page 33
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

1
Protection Against Distributed Denial of Service Attacks
Information About Protection Against Distributed Denial of Service Attacks
Information About Protection Against Distributed Denial of

Service Attacks
Aggressive Aging of Firewall Sessions

The Aggressive Aging feature provides the firewall the capability of aggressively aging out sessions to make
room for new sessions, thereby protecting the firewall session database from filling. The firewall protects its
resources by removing idle sessions. The Aggressive Aging feature allows firewall sessions to exist for a
shorter period of time defined by a timer called aging-out time.
The Aggressive Aging feature includes thresholds to define the start and end of the aggressive aging
period—high and low watermarks. The aggressive aging period starts when the session table crosses the high
watermark and ends when it falls below the low watermark. During the aggressive aging period, sessions will
exist for a shorter period of time that you have configured by using the aging-out time. If an attacker initiates
sessions at a rate that is faster than the rate at which the firewall terminates sessions, all resources that are
allocated for creating sessions are used and all new connections are rejected. To prevent such attacks, you
can configure the Aggressive Aging feature to aggressively age out sessions. This feature is disabled by
default.
You can configure aggressive aging for half-opened sessions and total sessions at the box level (box refers
to the entire firewall session table) and the virtual routing and forwarding (VRF) level. If you have configured
this feature for total sessions, all sessions that consume firewall session resources are taken into account. Total
sessions comprise established sessions, half-opened sessions, and sessions in the imprecise session database.
(A TCP session that has not yet reached the established state is called a half-opened session.)
A firewall has two session databases: the session database and the imprecise session database. The session
database contains sessions with 5-tuple (the source IP address, the destination IP address, the source port, the
destination port, and the protocol). A tuple is an ordered list of elements. The imprecise session database
contains sessions with fewer than 5-tuple (missing IP addresses, port numbers, and so on). In the case of
aggressive aging for half-opened sessions, only half-opened sessions are considered.
You can configure an aggressive aging-out time for Internet Control Message Protocol (ICMP), TCP, and
UDP firewall sessions. The aging-out time is set by default to the idle time.
Event Rate Monitoring Feature

The Event Rate Monitoring feature monitors the rate of predefined events in a zone. The Event Rate Monitoring
feature includes basic threat detection, which is the ability of a security device to detect possible threats,
anomalies, and attacks to resources inside the firewall and to take action against them. You can configure a
basic threat detection rate for events. When the incoming rate of a certain type of event exceeds the configured
threat detection rate, event rate monitoring considers this event as a threat and takes action to stop the threat.
Threat detection inspects events only on the ingress zone (if the Event Rate Monitoring feature is enabled on
the ingress zone).
The network administrator is informed about the potential threats via an alert message (syslog or high-speed
logger [HSL]) and can take actions such as detecting the attack vector, detecting the zone from which the
attack is coming, or configuring devices in the network to block certain behaviors or traffic.
The Event Rate Monitoring feature monitors the following types of events:

2
Event Rate Monitoring Feature
• Firewall drops due to basic firewall checks failure—This can include zone or zone-pair check failures,
or firewall policies configured with the drop action, and so on.
• Firewall drops due to Layer 4 inspection failure—This can include TCP inspections that have failed
because the first TCP packet is not a synchronization (SYN) packet.
• TCP SYN cookie attack—This can include counting the number of SYN packets that are dropped and
the number of SYN cookies that are sent as a spoofing attack.
The Event Rate Monitoring feature monitors the average rate and the burst rate of different events. Each event
type has a rate object that is controlled by an associated rate that has a configurable parameter set (the average
threshold, the burst threshold, and a time period). The time period is divided into time slots; each time slot is
1/30th of the time period.
The average rate is calculated for every event type. Each rate object holds 30 completed sampling values plus
one value to hold the current ongoing sampling period. The current sampling value replaces the oldest calculated
value and the average is recalculated. The average rate is calculated during every time period. If the average
rate exceeds the average threshold, the Event Rate Monitoring feature will consider this as a possible threat,
update the statistics, and inform the network administrator.
The burst rate is implemented by using the token bucket algorithm. For each time slot, the token bucket is
filled with tokens. For each event that occurs (of a specific event type), a token is removed from the bucket.
An empty bucket means that the burst threshold is reached, and the administrator receives an alarm through
the syslog or HSL. You can view the threat detection statistics and learn about possible threats to various
events in the zone from the output of the show policy-firewall stats zone command.
You must first enable basic threat detection by using the threat-detection basic-threat command. Once basic
threat detection is configured, you can configure the threat detection rate. To configure the threat detection
rate, use the threat-detection rate command.
The following table describes the basic threat detection default settings that are applicable if the Event Rate
Monitoring feature is enabled.
Table 1: Basic Threat Detection Default Settings
Packet Drop Reason Threat Detection Settings

Basic firewall drops average-rate 400 packets per second (pps)
burst-rate 1600 pps
rate-interval 600 seconds
Inspection-based firewall drops average-rate 400 pps

burst-rate 1600 pps
SYN attack firewall drops average-rate 100 pps

burst-rate 200 pps

3
Half-Opened Connections Limit
Half-Opened Connections Limit

The firewall session table supports the limiting of half-opened firewall connections. Limiting the number of
half-opened sessions will defend the firewall against attacks that might fill the firewall session table at the
per-box level or at the virtual routing and forwarding (VRF) level with half-opened sessions and prevent
sessions from being established. The half-opened connection limit can be configured for Layer 4 protocols,
Internet Control Message Protocol (ICMP), TCP, and UDP. The limit set to the number of UDP half-opened
sessions will not affect the TCP or ICMP half-opened sessions. When the configured half-opened session
limit is exceeded, all new sessions are rejected and a log message is generated, either in syslog or in the
high-speed logger (HSL).
The following sessions are considered as half-opened sessions:
• TCP sessions that have not completed the three-way handshake.
• UDP sessions that have only one packet detected in the UDP flow.
• ICMP sessions that do not receive a reply to the ICMP echo request or the ICMP time-stamp request.
TCP SYN-Flood Attacks

You can configure the global TCP SYN-flood limit to limit SYN flood attacks. TCP SYN-flooding attacks
are a type of denial of service (DoS) attack. When the configured TCP SYN-flood limit is reached, the firewall
verifies the source of sessions before creating more sessions. Usually, TCP SYN packets are sent to a targeted
end host or a range of subnet addresses behind the firewall. These TCP SYN packets have spoofed source IP
addresses. A spoofing attack is when a person or program tries to use false data to gain access to resources
in a network. TCP SYN flooding can take up all resources on a firewall or an end host, thereby causing denial
of service to legitimate traffic. You can configure TCP SYN-flood protection at the VRF level and the zone
level.
SYN flood attacks are divided into two types:
• Host flood—SYN flood packets are sent to a single host intending to utilize all resources on that host.
• Firewall session table flood—SYN flood packets are sent to a range of addresses behind the firewall,
with the intention of exhausting the session table resources on the firewall, thereby denying resources
to the legitimate traffic going through the firewall.
How to Configure Protection Against Distributed Denial of

Service Attacks
Configuring a Firewall
In this task, you will do the following:
• Configure a firewall.
• Create a security source zone.

4
• Create a security destination zone.

• Create a security zone pair by using the configured source and destination zones.
• Configure an interface as a zone member.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type inspect match-any class-map-name
4. match protocol {icmp | tcp | udp}
5. exit
6. parameter-map type inspect global
7. redundancy
8. exit
9. policy-map type inspect policy-map-name
10. class type inspect class-map-name
11. inspect
12. exit
13. class class-default
14. drop
15. exit
16. exit
17. zone security security-zone-name
18. exit
20. exit
21. zone-pair security zone-pair-name source source-zone destination destination-zone
22. service-policy type inspect policy-map-name
23. exit
24. interface type number
25. ip address ip-address mask
26. encapsulation dot1q vlan-id
27. zone-member security security-zone-name
28. end
29. To attach a zone to another interface, repeat Steps 21 to 25.
DETAILED STEPS
Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.

5

• Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Device# configure terminal
Step 3 class-map type inspect match-any class-map-name Creates an application-specific inspect type class map and enters
QoS class-map configuration mode.
Example:
Device(config)# class-map type inspect
match-any ddos-class
Step 4 match protocol {icmp | tcp | udp} Configures the match criterion for a class map based on the
specified protocol.
Example:
Device(config-cmap)# match protocol tcp
Step 5 exit Exits QoS class-map configuration mode and enters global
configuration mode.
Example:
Device(config-cmap)# exit
Step 6 parameter-map type inspect global Defines a global inspect parameter map and enters
parameter-map type inspect configuration mode.
Example:
Device(config)# parameter-map type inspect
global
Step 7 redundancy Enables firewall high availability.
Example:
Device(config-profile)# redundancy
Step 8 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 9 policy-map type inspect policy-map-name Creates a protocol-specific inspect type policy map and enters
QoS policy-map configuration mode.
Example:
Device(config)# policy-map type inspect
ddos-fw

6

Step 10 class type inspect class-map-name Specifies the traffic class on which an action is to be performed
and enters QoS policy-map class configuration mode.
Example:
Device(config-pmap)# class type inspect
ddos-class
Step 11 inspect Enables stateful packet inspection.
Example:
Device(config-pmap-c)# inspect
Step 12 exit Exits QoS policy-map class configuration mode and enters QoS
policy-map configuration mode.
Example:
Device(config-pmap-c)# exit
Step 13 class class-default Configures the default class on which an action is to be

performed and enters QoS policy-map class configuration mode.
Example:
Device(config-pmap)# class class-default
Step 14 drop Allows traffic to pass between two interfaces in the same zone.
Example:
Device(config-pmap-c)# drop
Step 15 exit Exits QoS policy-map class configuration mode and enters QoS
Example:
Device(config-pmap-c)# exit
Step 16 exit Exits QoS policy-map configuration mode and enters global
configuration mode.
Example:
Device(config-pmap)# exit
Step 17 zone security security-zone-name Creates a security zone and enters security zone configuration
mode.
Example: • You need two security zones to create a zone pair—a
Device(config)# zone security private
source and a destination zone.
Step 18 exit Exits security zone configuration mode and enters global
configuration mode.
Example:
Device(config-sec-zone)# exit

7

Step 19 zone security security-zone-name Creates a security zone and enters security zone configuration
mode.
Example: • You need two security zones to create a zone pair—a
Device(config)# zone security public
source and a destination zone.
configuration mode.
Example:
Step 21 zone-pair security zone-pair-name source Creates a zone pair and enters security zone-pair configuration
source-zone destination destination-zone mode.
Example:
Device(config)# zone-pair security
private2public source private destination
public
Step 22 service-policy type inspect policy-map-name Attaches a policy map to a top-level policy map.
Example:
Device(config-sec-zone-pair)# service-policy
type inspect ddos-fw
Step 23 exit Exits security zone-pair configuration mode and enters global
configuration mode.
Example:
Device(config-sec-zone-pair)# exit
Step 24 interface type number Configures an interface and enters subinterface configuration
mode.
Example:
Device(config)# interface gigabitethernet
0/1/0.1
Step 25 ip address ip-address mask Configures an IP address for the subinterface.
Example:
Device(config-subif)# ip address 10.1.1.1
255.255.255.0
Step 26 encapsulation dot1q vlan-id Sets the encapsulation method used by the interface.
Example:
Device(config-subif)# encapsulation dot1q
2
Step 27 zone-member security security-zone-name Configures the interface as a zone member.

8
Configuring the Aggressive Aging of Firewall Sessions

• For the security-zone-name argument, you must configure
Example: one of the zones that you had configured by using the
Device(config-subif)# zone-member security zone security command.
private
• When an interface is in a security zone, all traffic to and
from that interface (except traffic going to the device or
initiated by the device) is dropped by default. To permit
traffic through an interface that is a zone member, you
must make that zone part of a zone pair to which you
apply a policy. If the policy permits traffic (via inspect
or pass actions), traffic can flow through the interface.
Step 28 end Exits subinterface configuration mode and enters privileged

EXEC mode.
Example:
Device(config-subif)# end
Step 29 To attach a zone to another interface, repeat Steps —

21 to 25.

You can configure the Aggressive Aging feature for per-box (per-box refers to the entire firewall session
table), default-VRF, and per-VRF firewall sessions. Before the Aggressive Aging feature can work, you must
configure the aggressive aging and the aging-out time of firewall sessions.
Perform the following tasks to configure the aggressive aging of firewall sessions.
Configuring per-Box Aggressive Aging

Per-box refers to the entire firewall session table. Any configuration that follows the parameter-map type
inspect-global command applies to the box.

9
SUMMARY STEPS
1. enable
3. Enter one of the following commands:
• parameter-map type inspect-global
• parameter-map type inspect global
4. per-box max-incomplete number aggressive-aging high {value low value | percent percent low percent
percent}
5. per-box aggressive-aging high {value low value | percent percent low percent percent}
6. exit
7. parameter-map type inspect parameter-map-name
8. tcp synwait-time seconds [ageout-time seconds]
9. end
10. show policy-firewall stats global
DETAILED STEPS

Example:
Device> enable
Example:
Step 3 Enter one of the following commands: Configures a global parameter map for connecting thresholds and
timeouts and enters parameter-map type inspect configuration mode.
• Based on your release, the parameter-map type
inspect-global and the parameter-map type inspect global
commands are supported. You cannot configure both these
commands together.
Example:
Device(config)# parameter-map type • Skip Steps 4 and 5 if you configure the parameter-map type
inspect-global inspect-global command.
global
Note If you configure the parameter-map type inspect-global
command, per-box configurations are not supported
because, by default, all per-box configurations apply to all
firewall sessions.

10

Step 4 per-box max-incomplete number Configures the maximum limit and the aggressive aging rate for
aggressive-aging high {value low value | percent half-opened sessions in the firewall session table.
percent low percent percent}
Example:
Device(config-profile)# per-box
max-incomplete 2000 aggressive-aging high
1500 low 1200
Step 5 per-box aggressive-aging high {value low value Configures the aggressive aging limit of total sessions.
| percent percent low percent percent}
Example:
aggressive-aging high 1700 low 1300
Example:
Step 7 parameter-map type inspect Configures an inspect-type parameter map for connecting thresholds,
parameter-map-name timeouts, and other parameters pertaining to the inspect action and
enters parameter-map type inspect configuration mode.
Example:
pmap1
Step 8 tcp synwait-time seconds [ageout-time seconds] Specifies how long the software will wait for a TCP session to reach
the established state before dropping the session.
Example: • After aggressive aging is enabled, the SYN wait timer of the
Device(config-profile)# tcp synwait-time
30 ageout-time 10 oldest TCP connections are reset from the default to the
configured ageout time. In this example, instead of waiting
for 30 seconds for connections to timeout, the timeout of the
oldest TCP connections are set to 10 seconds. Aggressive aging
is disabled when the connections drop below the low
watermark.
Step 9 end Exits parameter-map type inspect configuration mode and enters
privileged EXEC mode.
Example:
Device(config-profile)# end
Step 10 show policy-firewall stats global Displays global firewall statistics information.
Example:
Device# show policy-firewall stats global

11
Configuring Aggressive Aging for a Default VRF

When you configure the max-incomplete aggressive-aging command, it applies to the default VRF.
SUMMARY STEPS
1. enable
3. Enters one of the following commands:
4. max-incomplete number aggressive-aging high {value low value | percent percent low percent percent}
5. session total number [aggressive-aging high {value low value | percent percent low percent percent}]
6. exit
9. end
10. show policy-firewall stats vrf global
DETAILED STEPS

Example:
Device> enable
Example:
Step 3 Enters one of the following commands: Configures a global parameter map for connecting thresholds and
commands together.
Example:
Device(config)# parameter-map type • Skip Step 5 if you configure the parameter-map type
global

12

because, by default, all per-box configurations apply to
all firewall sessions.
Step 4 max-incomplete number aggressive-aging high Configures the maximum limit and the aggressive aging limit of
{value low value | percent percent low percent half-opened firewall sessions.
percent}
Example:
Device(config-profile)# max-incomplete 3455
Step 5 session total number [aggressive-aging high Configures the total limit and the aggressive aging limit for total
{value low value | percent percent low percent firewall sessions.
percent}]
Example:
Device(config-profile)# session total 1000
aggressive-aging high percent 80 low
percent 60
Example:
Step 7 parameter-map type inspect parameter-map-name Configures an inspect-type parameter map for connecting thresholds,
timeouts, and other parameters pertaining to the inspect action and
Example: enters parameter-map type inspect configuration mode.
pmap1
Example: • After aggressive aging is enabled, the SYN wait timer of the
configured ageout time. In this example, instead of waiting
for 30 seconds for connections to timeout, the timeout of the
oldest TCP connections are set to 10 seconds. Aggressive
aging is disabled when the connections drop below the low
watermark.
Example:

13

Step 10 show policy-firewall stats vrf global Displays global VRF firewall policy statistics.
Example:
Device# show policy-firewall stats vrf
global
Configuring the Aging Out of Firewall Sessions

You can configure the aging out of ICMP, TCP, or UDP firewall sessions.
SUMMARY STEPS
1. enable
4. vrf vrf-name inspect vrf-pmap-name

5. exit
7. tcp idle-time seconds [ageout-time seconds]
9. exit
11. class type inspect match-any class-map-name
12. inspect parameter-map-name
13. end
14. show policy-firewall stats vrf vrf-pmap-name
DETAILED STEPS

Example:
Device> enable

14

Example:
Step 3 Enter one of the following commands: Configures a global parameter map and enters parameter-map type
inspect configuration mode.
• Based on your release, the parameter-map type inspect-global
and the parameter-map type inspect global commands are
supported. You cannot configure both these commands together.
Example: • Skip Step 4 if you configure the parameter-map type

Device(config)# parameter-map type inspect-global command.
inspect-global
Device(config)# parameter-map type
inspectglobal Note If you configure the parameter-map type inspect-global
command, per-box configurations are not supported because,
by default, all per-box configurations apply to all firewall
sessions.
Step 4 vrf vrf-name inspect vrf-pmap-name Binds a VRF with a parameter map.
Example:
Device(config-profile)# vrf vrf1 inspect
vrf1-pmap
Example:
Step 6 parameter-map type inspect Configures an inspect-type parameter map for connecting thresholds,
parameter-map-name timeouts, and other parameters pertaining to the inspect action and
enters parameter-map type inspect configuration mode.
Example:
inspect pmap1
Step 7 tcp idle-time seconds [ageout-time seconds] Configures the timeout for idle TCP sessions and the aggressive
aging-out time for TCP sessions.
Example: • You can also configure the tcp finwait-time command to
Device(config-profile)# tcp idle-time
3000 ageout-time 100 specify how long a TCP session will be managed after the
firewall detects a finish (FIN) exchange, or you can configure
the tcp synwait-time command to specify how long the
software will wait for a TCP session to reach the established
state before dropping the session.

15

Example: • When aggressive aging is enabled, the SYN wait timer of the
configured ageout time. In this example, instead of waiting for
30 seconds for connections to timeout, the timeout of the oldest
TCP connections are set to 10 seconds. Aggressive aging is
enabled when the connections drop below the low watermark.
Example:
Step 10 policy-map type inspect policy-map-name Creates a protocol-specific inspect type policy map and enters QoS
Example:
ddos-fw
Step 11 class type inspect match-any class-map-name Specifies the traffic class on which an action is to be performed and
enters QoS policy-map class configuration mode.
Example:
Step 12 inspect parameter-map-name Enables stateful packet inspection for the parameter map.
Example:
Device(config-pmap-c)# inspect pmap1
Step 13 end Exits QoS policy-map class configuration mode and enters privileged
EXEC mode.
Example:
Device(config-pmap-c)# end
Step 14 show policy-firewall stats vrf vrf-pmap-name Displays VRF-level policy firewall statistics.
Example:
vrf1-pmap
Example
The following is sample output from the show policy-firewall stats vrf vrf1-pmap command:
Device# show policy-firewall stats vrf vrf1-pmap
VRF: vrf1, Parameter-Map: vrf1-pmap

16
Interface reference count: 2

Total Session Count(estab + half-open): 270, Exceed: 0
Total Session Aggressive Aging Period Off, Event Count: 0
Half Open
Protocol Session Cnt Exceed
-------- ----------- ------
All 0 0
UDP 0 0
ICMP 0 0
TCP 0 0
TCP Syn Flood Half Open Count: 0, Exceed: 12

Half Open Aggressive Aging Period Off, Event Count: 0
Configuring per-VRF Aggressive Aging
SUMMARY STEPS
1. enable
3. ip vrf vrf-name
4. rd route-distinguisher
5. route-target export route-target-ext-community
6. route-target import route-target-ext-community
7. exit
8. parameter-map type inspect-vrf vrf-pmap-name
9. max-incomplete number aggressive-aging high {value low value | percent percent low percent percent}
10. session total number [aggressive-aging {high value low value | percent percent low percent percent}]
11. alert on
12. exit

15. exit
17. tcp idle-time seconds [ageout-time seconds]
19. exit
21. class type inspect match-any class-map-name
22. inspect parameter-map-name
23. end

17
DETAILED STEPS

Example:
Device> enable
Example:
Step 3 ip vrf vrf-name Defines a VRF instance and enters VRF configuration mode.
Example:
Device(config)# ip vrf ddos-vrf1
Step 4 rd route-distinguisher Specifies a route distinguisher (RD) for a VRF instance.
Example:
Device(config-vrf)# rd 100:2
Step 5 route-target export route-target-ext-community Creates a route-target extended community and exports the
routing information to the target VPN extended community.
Example:
Device(config-vrf)# route-target export 100:2
Step 6 route-target import route-target-ext-community Creates a route-target extended community and imports routing
information from the target VPN extended community.
Example:
Device(config-vrf)# route-target import 100:2
Step 7 exit Exits VRF configuration mode and enters global configuration
mode.
Example:
Device(config-vrf)# exit
Step 8 parameter-map type inspect-vrf vrf-pmap-name Configures an inspect VRF-type parameter map and enters
Example:
inspect-vrf vrf1-pmap
Step 9 max-incomplete number aggressive-aging high Configures the maximum limit and the aggressive aging limit
{value low value | percent percent low percent for half-opened sessions.
percent}
Example:

18

Step 10 session total number [aggressive-aging {high value Configures the total session limit and the aggressive aging limit
low value | percent percent low percent percent}] for the total sessions.
• You can configure the total session limit as an absolute
Example: value or as a percentage.
aggressive-aging high percent 80 low percent
60
Step 11 alert on Enables the console display of stateful packet inspection alert
messages.
Example:
Device(config-profile)# alert on
Example:
Step 13 Enter one of the following commands: Configures a global parameter map and enters parameter-map
type inspect configuration mode.
inspect-global and the parameter-map type inspect
global commands are supported. You cannot configure
both these commands together.
Example:
Device(config)# parameter-map type • Skip Step 14 if you configure the parameter-map type
global
Note If you configure the parameter-map type
inspect-global command, per-box configurations are
not supported because, by default, all per-box
configurations apply to all firewall sessions.
Step 14 vrf vrf-name inspect vrf-pmap-name Binds a VRF with a parameter map.
Example:
vrf1-pmap
Example:
Step 16 parameter-map type inspect parameter-map-name Configures an inspect-type parameter map for connecting
thresholds, timeouts, and other parameters pertaining to the
Example: inspect action and enters parameter-map type inspect
Device(config)# parameter-map type inspect configuration mode.
pmap1

19

Step 17 tcp idle-time seconds [ageout-time seconds] Configures the timeout for idle TCP sessions and the aggressive
aging-out time for TCP sessions.
Example:
Device(config-profile)# tcp idle-time 3000
ageout-time 100
Step 18 tcp synwait-time seconds [ageout-time seconds] Specifies how long the software will wait for a TCP session to
reach the established state before dropping the session.
Example: • When aggressive aging is enabled, the SYN wait timer of
Device(config-profile)# tcp synwait-time 30
ageout-time 10 the oldest TCP connections are reset from the default to
the configured ageout time. In this example, instead of
waiting for 30 seconds for connections to timeout, the
timeout of the oldest TCP connections are set to 10
seconds. Aggressive aging is disabled when the
connections drop below the low watermark.
Example:
Step 20 policy-map type inspect policy-map-name Creates a protocol-specific inspect type policy map and enters
QoS policy-map configuration mode.
Example:
ddos-fw
Step 21 class type inspect match-any class-map-name Specifies the traffic (class) on which an action is to be performed
and enters QoS policy-map class configuration mode.
Example:
Step 22 inspect parameter-map-name Enables stateful packet inspection for the parameter map.
Example:
Step 23 end Exits QoS policy-map class configuration mode and enters
Example:
Device(config-pmap-c)# end
Example:
vrf1-pmap

20
Configuring Firewall Event Rate Monitoring
Example
The following is sample output from the show policy-firewall stats vrf vrf1-pmap command:
Device# show policy-firewall stats vrf vrf1-pmap
VRF: vrf1, Parameter-Map: vrf1-pmap

Interface reference count: 2
Total Session Count(estab + half-open): 80, Exceed: 0
Total Session Aggressive Aging Period Off, Event Count: 0
Half Open
Protocol Session Cnt Exceed
-------- ----------- ------
All 0 0
UDP 0 0
ICMP 0 0
TCP 0 0
TCP Syn Flood Half Open Count: 0, Exceed: 116

Half Open Aggressive Aging Period Off, Event Count: 0

SUMMARY STEPS
1. enable
3. parameter-map type inspect-zone zone-pmap-name
4. alert on
5. threat-detection basic-threat
6. threat-detection rate fw-drop average-time-frame seconds average-threshold packets-per-second
burst-threshold packets-per-second
7. threat-detection rate inspect-drop average-time-frame seconds average-threshold packets-per-second
8. threat-detection rate syn-attack average-time-frame seconds average-threshold packets-per-second
9. exit
11. protection parameter-map-name
12. exit
13. zone-pair security zone-pair-name source source-zone destination destination-zone
14. end
15. show policy-firewall stats zone

21
DETAILED STEPS

Example:
Device> enable
Example:
Step 3 parameter-map type inspect-zone zone-pmap-name Configures an inspect-zone parameter map and enters
Example:
Device(config)# parameter-map type inspect-zone
zone-pmap1
Step 4 alert on Enables the console display of stateful packet inspection

alert messages for a zone.
Example: • You can use the log command to configure the
logging of alerts either to the syslog or to the
high-speed logger (HSL).
Step 5 threat-detection basic-threat Configures basic threat detection for a zone.
Example:
Device(config-profile)# threat-detection
basic-threat
Step 6 threat-detection rate fw-drop average-time-frame seconds Configures the threat detection rate for firewall drop
average-threshold packets-per-second burst-threshold events.
packets-per-second
• You must configure the threat-detection
basic-threat command before you configure the
Example: threat-detection rate command.
Device(config-profile)# threat-detection rate
fw-drop average-time-frame 600 average-threshold
100 burst-threshold 100
Step 7 threat-detection rate inspect-drop average-time-frame Configures the threat detection rate for firewall
seconds average-threshold packets-per-second inspection-based drop events.
Example:
inspect-drop average-time-frame 600
average-threshold 100 burst-threshold 100

22

Step 8 threat-detection rate syn-attack average-time-frame Configures the threat detection rate for TCP SYN attack
seconds average-threshold packets-per-second events.
Example:
syn-attack average-time-frame 600 average-threshold
Step 9 exit Exits parameter-map type inspect configuration mode

and enters global configuration mode.
Example:
Step 10 zone security security-zone-name Creates a security zone and enters security zone
configuration mode.
Example:
Step 11 protection parameter-map-name Attaches the inspect-zone parameter map to the zone
and applies the features configured in the inspect-zone
Example: parameter map to the zone.
Device(config-sec-zone)# protection zone-pmap1
configuration mode.
Example:
Step 13 zone-pair security zone-pair-name source source-zone Creates a zone pair and enters security zone-pair
destination destination-zone configuration mode.
Example:
Device(config)# zone-pair security private2public
source private destination public
Step 14 end Exits security zone-pair configuration mode and enters

Example:
Device(config-sec-zone-pair)# end
Step 15 show policy-firewall stats zone Displays policy firewall statistics at the zone level.
Example:
Device# show policy-firewall stats zone

23
Configuring the per-Box Half-Opened Session Limit

Per-box refers to the entire firewall session table. Any configuration that follows the parameter-map type
inspect-global command applies to the box.
SUMMARY STEPS
1. enable
4. alert on
5. per-box max-incomplete number
6. session total number
7. end
8. show policy-firewall stats global
DETAILED STEPS

Example:
Device> enable
Example:
Step 3 Enter one of the following commands: Configures a global parameter map for connecting thresholds and
commands together.
Example:
Device(config)# parameter-map type • Skip to Steps 5 and 6 if you configure the parameter-map
inspect-global type inspect-global command.
global
because, by default, all per-box configurations apply to
all firewall sessions.

24

messages.
Example:
Step 5 per-box max-incomplete number Configures the maximum number of half-opened connections for
the firewall session table.
Example:
max-incomplete 12345
Step 6 session total number Configures the total session limit for the firewall session table.
Example:
Example:
Step 8 show policy-firewall stats global Displays global firewall statistics information.
Example:
Device# show policy-firewall stats global

25
Configuring the Half-Opened Session Limit for an Inspect-VRF Parameter Map

SUMMARY STEPS
1. enable
3. parameter-map type inspect-vrf vrf-name
4. alert on
5. max-incomplete number
6. session total number
7. exit
9. alert on
11. end
DETAILED STEPS

Example:
Device> enable
Example:
Step 3 parameter-map type inspect-vrf vrf-name Configures an inspect-VRF parameter map and enters
Example:
inspect-vrf vrf1-pmap
messages.
Example:

26

Step 5 max-incomplete number Configures the maximum number of half-opened connections
per VRF.
Example:
Step 6 session total number Configures the total session limit for a VRF.
Example:
Example:
Step 8 Enter one of the following commands: Configures a global parameter map for connecting thresholds
and timeouts and enters parameter-map type inspect
• parameter-map type inspect-global configuration mode.
• Based on your release, you can use either the
parameter-map type inspect-global command or the
parameter-map type inspect global command. You
Example: cannot configure both these commands together.
inspect-global • Skip Step 10 if you configure the parameter-map type
global inspect-global command.
Note If you configure the parameter-map type

inspect-global command, per-box configurations are
not supported because, by default, all per-box
configurations apply to all firewall sessions.
messages.
Example:
Step 10 vrf vrf-name inspect vrf-pmap-name Binds the VRF to the global parameter map.
Example:
vrf1-pmap
Example:

27
Configuring the Global TCP SYN Flood Limit

Example:
vrf1-pmap

SUMMARY STEPS
1. enable
4. alert on
5. per-box tcp syn-flood limit number
6. end
7. show policy-firewall stats vrf global
DETAILED STEPS

Example:
Device> enable
Example:
Step 3 Enter one of the following commands: Configures a global parameter map and enters parameter-map type
inspect configuration mode.
• Based on your release, you can configure either the
parameter-map type inspect-global command or the
parameter-map type inspect global command. You cannot
configure both these commands together.

28

• Skip Step 5 if you configure the parameter-map type
Example: inspect-global command.
inspect-global Note If you configure the parameter-map type inspect-global
global command, per-box configurations are not supported
because, by default, all per-box configurations apply to all
firewall sessions.
messages.
Example:
Step 5 per-box tcp syn-flood limit number Limits the number of TCP half-opened sessions that trigger SYN
cookie processing for new SYN packets.
Example:
Device(config-profile)# per-box tcp
syn-flood limit 500
Example:
Step 7 show policy-firewall stats vrf global (Optional) Displays the status of the global VRF firewall policy.
• The command output also displays how many TCP half-opened
Example: sessions are present.
global
Example
The following is sample output from the show policy-firewall stats vrf global command:
Device# show policy-firewall stats vrf global
Global table statistics

total_session_cnt: 0
exceed_cnt: 0
tcp_half_open_cnt: 0
syn_exceed_cnt: 0

29
Configuration Examples for Protection Against Distributed Denial of Service Attacks
Configuration Examples for Protection Against Distributed

Denial of Service Attacks
Example: Configuring a Firewall

Router# configure terminal
Router(config)# class-map type inspect match-any ddos-class
Router(config-cmap)# match protocol tcp
Router(config-cmap-c)# exit
Router(config)# parameter-map type inspect global
Router(config-profile)# redundancy
Router(config-profile)# exit
Router(config)# policy-map type inspect ddos-fw
Router(config-pmap)# class type inspect ddos-class
Router(config-pmap-c)# inspect
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# zone security private
Router(config-sec-zone)# exit
Router(config)# zone security public
Router(config-sec-zone)# exit
Router(config)# zone-pair security private2public source private destination public
Router((config-sec-zone-pair)# service-policy type inspect ddos-fw
Router((config-sec-zone-pair)# exit
Router(config)# interface gigabitethernet 0/1/0.1
Router(config-subif)# ip address 10.1.1.1 255.255.255.0
Router(config-subif)# encapsulation dot1q 2
Router(config-subif)# zone-member security private
Router(config-subif)# exit
Router(config)# interface gigabitethernet 1/1/0.1
Router(config-subif)# ip address 10.2.2.2 255.255.255.0
Router(config-subif)# encapsulation dot1q 2
Router(config-subif)# zone-member security public
Router(config-subif)# end
Example: Configuring the Aggressive Aging of Firewall Sessions
Example: Configuring per-Box Aggressive Aging

Device(config)# parameter-map type inspect global
Device(config-profile)# per-box max-incomplete 2000 aggressive-aging 1500 low 1200
Device(config-profile)# per-box aggressive-aging high 1700 low 1300
Device(config)# parameter-map type inspect pmap1
Device(config-profile)# tcp synwait-time 30 ageout-time 10

30
Example: Configuring Firewall Event Rate Monitoring
Example: Configuring Aggressive Aging for a Default VRF

Device(config-profile)# max-incomplete 2000 aggressive-aging high 1500 low 1200
Device(config-profile)# session total 1000 aggressive-aging high percent 80 low percent 60
Example: Configuring the Aging Out of Firewall Sessions

Device(config-profile)# vrf vrf1 inspect vrf1-pmap
Device(config-profile)# tcp idle-time 3000 ageout-time 100
Device(config)# policy-map type inspect ddos-fw
Device(config-profile)# class type inspect match-any ddos-class
Device(config-profile)# inspect pmap1
Example: Configuring per-VRF Aggressive Aging

Device(config)# ip vrf ddos-vrf1
Device(config-vrf)# rd 100:2
Device(config-vrf)# route-target export 100:2
Device(config-vrf)# route-target import 100:2
Device(config-vrf)# exit
Device(config)# parameter-map type inspect-vrf vrf1-pmap
Device(config-profile)# max-incomplete 3455 aggressive-aging high 2345 low 2255
Device(config-profile)# session total 1000 aggressive-aging high percent 80 low percent 60
Device(config-profile)# tcp idle-time 3000 ageout-time 100
Device(config)# policy-map type inspect ddos-fw
Device(config-pmap)# class type inspect match-any ddos-class
Example: Configuring Firewall Event Rate Monitoring

Device> enable
Device(config)# parameter-map type inspect zone zone-pmap1
Device(config-profile)# threat-detection basic-threat
Device(config-profile)# threat-detection rate fw-drop average-time-frame 600 average-threshold

31
Example: Configuring the per-Box Half-Opened Session Limit
Device(config-profile)# threat-detection rate inspect-drop average-time-frame 600

Device(config-profile)# threat-detection rate syn-attack average-time-frame 600
Device(config-sec-zone)# protection zone-pmap1
Device(config)# zone-pair security private2public source private destination public
Device(config-sec-zone-pair)# end
Example: Configuring the per-Box Half-Opened Session Limit

Device(config-profile)# per-box max-incomplete 12345
Example: Configuring the Half-Opened Session Limit for an Inspect VRF

Parameter Map
Device(config)# parameter-map type inspect vrf vrf1-pmap
Example: Configuring the Global TCP SYN Flood Limit

Device(config-profile)# per-box tcp syn-flood limit 500
Additional References for Protection Against Distributed Denial

of Service Attacks
Related Documents
Related Topic Document Title

Cisco IOS commands Cisco IOS Master Command List, All Releases

32
Feature Information for Protection Against Distributed Denial of Service Attacks
Related Topic Document Title

Security commands Cisco IOS Security Command Reference
Firewall resource management Configuring Firewall Resource Management feature
Firewall TCP SYN cookie Configuring Firewall TCP SYN Cookie feature
Technical Assistance
Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.
Feature Information for Protection Against Distributed Denial

of Service Attacks
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

33
Feature Information for Protection Against Distributed Denial of Service Attacks
Table 2: Feature Information for Protection Against Distributed Denial of Service Attacks
Feature Name Releases Feature Information

Protection Against Distributed Cisco IOS XE Release The Protection Against Distributed Denial of
Denial of Service Attacks 3.4S Service Attacks feature provides protection from
DoS attacks at the per-box level (for all firewall
sessions) and at the VRF level. You can
configure the aggressive aging of firewall
sessions, event rate monitoring of firewall
sessions, the half-opened connections limit, and
global TCP SYN cookie protection to prevent
DDoS attacks.
The following commands were introduced or
modified: clear policy-firewall stats global,
max-incomplete, max-incomplete
aggressive-aging, per-box aggressive-aging,
per-box max-incomplete, per-box
max-incomplete aggressive-aging, per-box tcp
syn-flood limit, session total, show
policy-firewall stats global, show
policy-firewall stats zone, threat-detection
basic-threat, threat-detection rate, and udp
half-open.

34

Sec Ddos Attack Prevn

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sec Ddos Attack Prevn

Uploaded by

Copyright:

Available Formats

Protection Against Distributed Denial of Service

• Finding Feature Information, page 1

Finding Feature Information

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Information About Protection Against Distributed Denial of

Aggressive Aging of Firewall Sessions

Event Rate Monitoring Feature

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Table 1: Basic Threat Detection Default Settings

Packet Drop Reason Threat Detection Settings

Inspection-based firewall drops average-rate 400 pps

SYN attack firewall drops average-rate 100 pps

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Half-Opened Connections Limit

TCP SYN-Flood Attacks

How to Configure Protection Against Distributed Denial of

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

• Create a security destination zone.

Command or Action Purpose

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Step 7 redundancy Enables firewall high availability.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

Step 11 inspect Enables stateful packet inspection.

Step 13 class class-default Configures the default class on which an action is to be

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

Step 25 ip address ip-address mask Configures an IP address for the subinterface.

Step 27 zone-member security security-zone-name Configures the interface as a zone member.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

Step 28 end Exits subinterface configuration mode and enters privileged

Step 29 To attach a zone to another interface, repeat Steps —

Configuring the Aggressive Aging of Firewall Sessions

Configuring per-Box Aggressive Aging

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Configuring Aggressive Aging for a Default VRF

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

Configuring the Aging Out of Firewall Sessions

4. vrf vrf-name inspect vrf-pmap-name

Command or Action Purpose

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

Example: • Skip Step 4 if you configure the parameter-map type

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Command or Action Purpose

VRF: vrf1, Parameter-Map: vrf1-pmap

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Interface reference count: 2

TCP Syn Flood Half Open Count: 0, Exceed: 12